From: Paolo Bonzini
Subject: Re: [Qemu-devel] why does our coverity-model.c g_strdup() say it is a size-sink?
Date: Thu, 14 Mar 2019 12:22:55 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
On 14/03/19 11:51, Peter Maydell wrote:
> Our coverity model of g_strdup() includes:
> __coverity_string_size_sink__(s);
>
> This seems to be causing Coverity to report false positives like
> CID1399705 and 1399699 where we take a string from getenv() and
> pass it to g_strdup(). The getenv() string is untrusted data of unknown
> length, and g_strdup() being marked as a size-sink makes Coverity
> think the function wants "a string of a particular size".
>
> Markus, you wrote this model initially -- can you remember why it's
> marked as a size-sink? Unfortunately I can't find any documentation
> online about what the coverity model annotation here means :-(
I think it means that we don't want a g_strdup that can potentially do
an unbounded allocation.
Old versions of Coverity distributed the internal models as source, but
unfortunately the new ones don't. I would not be surprised if it was
just a cut-and-paste of the original strdup model, just with a different
marker for the g_malloc/g_free family of allocation functions.
Paolo
> Should we just mark up the issues as false-positives, or should
> we change our model ?
>
> thanks
> -- PMM
>
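The pattern the thread is about, shown as an added example that is not QEMU code and not part of this exchange: a value of attacker-chosen length is read from the environment and copied with a strdup-style call, so the allocation is exactly as large as the untrusted input, which is what a string-size-sink annotation warns about. Plain libc stands in for g_strdup/g_malloc here (an assumption for the sake of a self-contained build), and the function and variable names are made up for the demonstration. The bounded variant is the kind of check a practitioner would add when the length really should be capped, as opposed to marking the report a false positive.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Unbounded copy: the same shape as g_strdup(getenv(...)). The size of the
 * allocation is whatever the environment says it is; the process has no say.
 * (Uses malloc/memcpy rather than strdup so the file builds with any libc.)
 */
char *dup_unbounded(const char *v)
{
    if (!v) {
        return NULL;
    }
    size_t n = strlen(v);           /* scans the whole untrusted string */
    char *out = malloc(n + 1);      /* allocation size controlled by input */
    if (out) {
        memcpy(out, v, n + 1);
    }
    return out;
}

/*
 * Bounded copy: stop scanning at max_len + 1 bytes and refuse anything
 * longer, so neither the scan nor the allocation depends on the input
 * length beyond the cap. Returns NULL with errno = ERANGE when rejected.
 */
char *dup_bounded(const char *v, size_t max_len)
{
    if (!v) {
        return NULL;
    }
    size_t n = 0;
    while (n <= max_len && v[n] != '\0') {
        n++;
    }
    if (n > max_len) {
        errno = ERANGE;
        return NULL;
    }
    char *out = malloc(n + 1);
    if (out) {
        memcpy(out, v, n);
        out[n] = '\0';
    }
    return out;
}

/* Wrapper that reads the hypothetical variable from the environment. */
char *dup_env_bounded(const char *name, size_t max_len)
{
    return dup_bounded(getenv(name), max_len);
}

int main(void)
{
    /* Constructed input: any value in the environment works the same way. */
    const char *sample = "constructed-value";
    char *a = dup_unbounded(sample);
    char *b = dup_bounded(sample, 64);
    char *c = dup_bounded(sample, 8);   /* rejected: 17 bytes > 8 */
    printf("unbounded: %s\nbounded(64): %s\nbounded(8): %s\n",
           a, b, c ? c : "rejected");
    free(a);
    free(b);
    free(c);
    return 0;
}
```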